*OpenBSD will become as vulnerable as the service running on top of it.
Hence I will lose the legendary security it has.

To some extent. OpenBSD's code has REALLY been pored over. But,
Apache's and MySQL's have as well.. the "low hanging fruit" security
problems have been gone from them for years. OpenBSD prevents stack
smashing (those compiler changes). I think you can get a modified
compiler for debian that does too; either way, SELinux will detect
attempts to execute code on the stack and crash out the offending program
(so a buffer overflow will crash the offending app rather than giving the
potential intruder unwanted access.)

No it doesn't.. several years ago, something like 60 or 70% of
hosting domains were on Win2K+IIS, but the security was crap. But, yeah,
Linux is quite secure.

* With OpenBSD I am not going to spend time hardening it but rather trying to
get the services (MySQL, Apache, ...) running on top of it. While in Linux
installing the services is easy, I need to spend good time hardening the
OS itself.

I'd agree with that. OpenBSD will ship with everything FULLY locked
down, and you (carefully, after realizing the security implications) open
things up as you need them. Some Linux distros ship with daemons set up
for maximum usefulness/flexibility, trading off (in theory at least)
considerable security. I think Debian is somewhere in between the "open
up everything" and "lock down everything" crowd, but really the difference
between locked down and fully flexible is changing the configuration
files.. so just make sure to look at them for daemons you are running.

Any hint/comment is welcome.

I'd suggest installing both, Debian w/ SELinux on 1 test box and
OpenBSD on another. To initially test performance, I'd use some slow
test boxes like P2s or lower P3s; a higher end system like you might
actually want to use in production will be hard to time without lots of
users slowing it down 8-). If I had to guess, I'd say the 7% SELinux
penalty will make Debian w/ SELinux and OpenBSD roughly neck-and-neck..
but I'm not sure. If both perform OK I'd go w/ OpenBSD due to the
security. Otherwise, Debian.. just carefully lock down apache, mysql,
etc.. especially, if mysql is set to accept network connections, either
lock it down to a socket or to accept connections only from localhost.
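The MySQL lockdown mentioned at the end of the reply, as an added example that is not part of the original post: a my.cnf fragment with the wide-open setting beside the two restricted forms. The option names (skip-networking, bind-address) are standard MySQL server options; the file path and the assumption that the server otherwise listens on all interfaces are the example's own.

```ini
# Added example (not from the original thread). Typical location on Debian:
# /etc/mysql/my.cnf, section [mysqld]. Assumes a default server that
# otherwise listens on TCP port 3306 on every interface.

[mysqld]

# --- Weak: listens on all interfaces, reachable from the whole network ---
# bind-address = 0.0.0.0

# --- Option 1: UNIX socket only, no TCP listener at all ---
# Apache/PHP on the same host connects through the socket path below.
# Remote TCP clients get "Can't connect" because nothing listens on 3306.
skip-networking
socket = /var/run/mysqld/mysqld.sock

# --- Option 2: TCP, but only on the loopback address ---
# Use this instead of skip-networking if a local client insists on TCP
# (e.g. it connects to 127.0.0.1:3306). Do not combine with skip-networking,
# since skip-networking disables the TCP listener entirely.
# bind-address = 127.0.0.1
```

After restarting mysqld, confirm the result from the shell with `netstat -ltnp` (or `ss -ltnp`): with skip-networking there should be no mysqld line on port 3306 at all; with bind-address = 127.0.0.1 the only 3306 listener should be bound to 127.0.0.1, never 0.0.0.0.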
